RD Gateway

Hello,
We've set up RD services on a test server here, all of the roles bar virtualisation installed onto one server. I've set up an application to get the desktop in RemoteApp services. The problem we have is that I get an RD Gateway error on running this application, even if it's run on a client in the internal network. A further complication is that for external users, they are pointing to a forwarding domain name which is not the same as the internal FQDN of the RD server, which I suspect is confusing the certificates which I'm creating from the server. Any help gratefully received!

Hi there, thanks for the comments. Have attached the error message as a JPEG. Unfortunately we're a school, so cost is a bit of an issue regarding the certificate. Is there any way I can test to know for certain that it's a certificate issue? Sorry to whinge!

Incidentally, I should have added that if I try and connect to the desktop using the remote desktop tab of RDweb (ie: not the remote app desktop connection), I can only connect (internally) using the IP address of the RDweb server, not the computer name. Apologies if this opens up another can of worms, though I can live with just inputting the IP address.

Many thanks for your patience. Our local server is the DNS server for our network, but our LEA is technically our ISP. We've been given the IP of 10.0.100.254 and 253 as our DNS servers, and 10.0.100.254 is the address given in the return for nslookup. It read thusly:

Ummmm, yeah. Guess what my name is too! They're pretty loose on naming conventions in school! Ran the nslookup for the domain. Got the same result as before. Ran the registerdns on the RD server; it showed the attachment. Flushed the DNS locally, re-ran nslookup for the RD server and got the same result as before.

I'm assuming that ashgrove.int is an internal Active Directory domain?

Can you run nslookup again?

This time, type:

server xxx.xxx.xxx.xxx
ashgrove.int

And then:

andy.ashgrove.int

Where xxx.xxx.xxx.xxx is the IP address of the domain controller.

What I think is happening is that the DNS server being used is not configured to resolve addresses on the LAN, but if you have Active Directory then the chances are the domain controller(s) will be configured as DNS server(s).

If that last nslookup works, then can you edit the network adapter properties and change the DNS server entry to point to the domain controller IP address and try the RD connection again?
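The comparison the post above asks for, as an added example rather than anything posted in the thread: a stdlib-only Python script that sends an A-record query to one named DNS server (the equivalent of `server x.x.x.x` followed by a name in nslookup), so the answer from the gateway's resolver and from the domain controller can be printed side by side. The server addresses and the name to look up are command-line arguments; the embedded reply bytes are constructed for the test, not captured from anyone's network, and the 10.35.10.5 address in them is made up.

```python
"""Added example (not from the thread): query one specific DNS server for an
A record, like 'server x.x.x.x' followed by a name in nslookup, so the answers
from the gateway's resolver and the domain controller can be compared.
Stdlib only; the server addresses are supplied on the command line."""
import random
import socket
import struct
import sys


def build_query(name: str, txid: int) -> bytes:
    """Wire-format DNS query: header (RD set, one question) + QNAME + A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, txid: int):
    """Return (rcode, [IPv4 addresses]); rcode 0 = NOERROR, 3 = NXDOMAIN."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen  # CNAME and other types are skipped, not followed
    return flags & 0x000F, addrs


def resolve_a(name: str, server: str, timeout: float = 2.0):
    """Send the query over UDP to server:53 and parse whatever comes back."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


# Constructed reply (not captured from the thread's network): NOERROR for
# andy.ashgrove.int with one A record, 10.35.10.5 (an invented address).
SAMPLE_REPLY = bytes.fromhex(
    "123481800001000100000000"                  # id 0x1234, flags QR|RD|RA, 1 question, 1 answer
    "04616e64790861736867726f766503696e7400"    # andy.ashgrove.int
    "00010001"                                  # QTYPE A, QCLASS IN
    "c00c00010001" "00000e10" "0004" "0a230a05" # pointer to name, A, IN, TTL 3600, 10.35.10.5
)

if __name__ == "__main__":
    # usage: python dnscheck.py andy.ashgrove.int 10.0.100.254 <dc address>
    host, servers = sys.argv[1], sys.argv[2:]
    for srv in servers:
        try:
            rcode, addrs = resolve_a(host, srv)
            print(f"{srv}: rcode={rcode} {addrs or '(no A records)'}")
        except (socket.timeout, ValueError) as exc:
            print(f"{srv}: {exc}")
```

A resolver that knows nothing about the AD zone will typically answer NXDOMAIN (rcode 3) or time out, while the domain controller answers NOERROR with the server's LAN address; seeing those two results next to each other is the whole diagnosis.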

Awesome! Set the client card to DC as DNS and loopback as secondary. Got through straight away. That's that thatted then. As to the external machine, I'm still getting that same error message from the remote desktop app.

By the way - don't set up a loopback address for the second DNS server. If it can't reach the first one, it'll try the second and as that's itself, it'll fail.

Not a problem on a workstation of course but could be on a server.

To access the RD Web Gateway from an external client, you need a public IP address and the relevant external DNS entry (this will usually be handled by your LEA).

So what you need to do is decide on a suitable external name (for example, remote.school.ac.uk) and ask your LEA to register this and to forward ports 443 and 3389 on their managed firewall to your Andy server.

I'm assuming here, but with any educational establishment I've worked with, it's been a fully managed firewall and they do this.

You then need to procure an externally signed certificate (they really aren't expensive) that will include, as a minimum:

remote.school.ac.uk
andy.ashgrove.int
andy

Once that is done, you should get access to the site and connect.

We still have to consider your internal DNS though.

Another assumption - your workstations are all set to DHCP (i.e. pick up their IP address automatically)?

And that they all use the gateway as the DNS server?

You need to log into your domain controller (I'm assuming again, but I'm going to assume it's the DHCP server) and from the administrative tools, launch DHCP manager.

Under the reservation (don't worry - it'll be clear when you sit in front of it) you need to look for scope options.

In there, you need to set the DNS server to be the DC as above.

But...I would caveat all of that with a word of warning to ask if there's any specific reason the existing DNS server settings point to the gateway (though I can't think of any off-hand).

OK, have checked the scope options on the DC, and it states the DC as the DNS server OK. As regards the gateway, it's the switch between us and the LEA. Before we had the server, and just used a NAS, it acted as de facto DHCP, distributing one range (10.35.8.*), and now we have the server, it distributes another range (10.35.10.*). As regards an external redirect name, we've been given folders.ashgrove.valeofglamorgan.sch.uk, and port 443 has already been released on it (was having problems even getting the rdweb screen on a remote till they did this) and will use portqryui to see if 3389 is free on it too. I'll look into getting an externally signed certificate with all those entries in it. Is it relatively straightforward importing it into the RDserver? Would you be averse to me poking you in the event that I get another blonde moment?
Cheers
Andy

Have just checked 3389 externally from portqry, and it's coming back as filtered/blocked, which was what I got before 443 was released. Is this port specific to RDWeb services, or just an "in case" free-up?

3389 TCP is the RDP protocol port. I cannot, for the life of me, remember if it's 100% required with RDWeb now, so it was more of an "in case" thing. I think, in honesty, that it is fully encapsulated in the HTTPS stream from point to point, so not necessary.

But it does give you a way to remote into a server from home :-)

And as long as you don't use blank/simple administrator passwords you'll be as secure as opening 443 to the same box.

Adding a certificate is not tricky at all.

I have a bookmarked URL at home with step-by-step instructions of all the RDWeb/Farm etc configuration steps. I'll try to remember to look it up and drop it here for you.

I have no problem at all and I'm always happy to help.

If you look at my profile here, you can follow me. You can then always get hold of me via the "hire me" button on my profile even if it is just to ping me a message to say you've opened another question on E-E.
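Two checks from this thread that are worth automating, the certificate name list recommended earlier (the external name plus the internal FQDN and short name) and the portqry-style probe of 443 and 3389, as an added example that is not code from the thread: a stdlib-only Python script that pulls the SAN list off the certificate the gateway actually serves, reports which of the names clients will type are not covered, and probes each port, distinguishing closed (reset) from filtered (no answer). The host and name list are command-line arguments; the names in the test are the ones quoted in the thread. One caveat for anyone reading this later: since the CA/Browser Forum cut-off in November 2015, public CAs no longer issue certificates containing unqualified names such as `andy` or names under a suffix the requester cannot validate, so a publicly signed certificate can only carry the external name; internal clients then have to connect via that same public name, or the internal names need a certificate from an internal CA.

```python
"""Added example (not from the thread): check that the certificate an RD
Gateway presents covers every name a client might type, and probe the
listener ports the way portqry does. Stdlib only; host names and ports are
command-line arguments."""
import socket
import ssl
import sys


def name_matches(pattern: str, host: str) -> bool:
    """Exact match (case-insensitive) or a single left-most wildcard label,
    as browsers and the RDP client apply it: *.school.ac.uk covers
    remote.school.ac.uk but not school.ac.uk or a.b.school.ac.uk."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def uncovered_names(cert_names, required):
    """Names in 'required' that no SAN entry in 'cert_names' matches."""
    return [h for h in required if not any(name_matches(p, h) for p in cert_names)]


def fetch_cert_names(host: str, port: int = 443, timeout: float = 5.0):
    """DNS entries from the SAN of the certificate served at host:port.
    Chain validation stays on (the thread's target is a publicly signed cert),
    hostname checking is off so a name mismatch is reported, not fatal."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' (handshake completed), 'closed' (RST came back), or 'filtered'
    (silence or unreachable, which is what portqry reports as FILTERED)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and "no route to host"
        return "filtered"
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python rdgw_check.py <gateway host> <name clients use>...
    gateway, required = sys.argv[1], sys.argv[2:]
    for port in (443, 3389):
        print(f"tcp/{port}: {probe_port(gateway, port)}")
    sans = fetch_cert_names(gateway)
    print("SAN:", ", ".join(sans) or "(none)")
    missing = uncovered_names(sans, required)
    print("not covered:", ", ".join(missing) or "nothing, all names covered")
```

If the gateway is still running a self-signed certificate, `fetch_cert_names` raises `ssl.SSLCertVerificationError` rather than returning a list; that is the same failure the RemoteApp client sees, just with a clearer message. A "filtered" result on 3389 with "open" on 443 is the expected and safer state when RDP is only reached through the gateway.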
